CVE-2009-1136

Microsoft Office OWC10.Spreadsheet ActiveX msDataSourceObject() Heap Corruption Vulnerability

Severity Score

9.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka "Office Web Components HTML Script Vulnerability."

El control ActiveX de Microsoft Office Web Components Spreadsheet (también se conoce como OWC10 u OWC11), distribuido en Office XP SP3 y Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 para 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 y 2006 versión Gold y SP1, y Office Small Business Accounting 2006, de Microsoft, cuando se utiliza en Internet Explorer, permite a los atacantes remotos ejecutar código arbitrario por medio de una llamada diseñada al método msDataSourceObject, tal y como se explotó “in the wild” en julio y agosto de 2009, también se conoce como "Office Web Components HTML Script Vulnerability".

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists during the processing of malicious parameters to the routine msDataSourceObject() and results in transfer of control to unallocated memory. This issue can be exploited to execute arbitrary code under the context of the currently logged in user.

*Credits: Peter Vreugdenhil

CVSS Scores

NISTv2 9.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-03-25 CVE Reserved
2009-07-14 CVE Published
2009-07-16 First Exploit
2024-08-07 CVE Updated
2024-11-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (11)

URL	Tag	Source
http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx	X_refsource_confirm
http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx	X_refsource_confirm
http://isc.sans.org/diary.html?storyid=6778	X_refsource_misc
http://www.us-cert.gov/cas/techalerts/TA09-223A.html	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5809	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/9163	2009-07-16
https://www.exploit-db.com/exploits/16537	2010-07-20
http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb	2024-08-07
http://xeye.us/blog/2009/07/one-0day	2024-08-07

URL	Date	SRC

URL	Date	SRC
http://www.microsoft.com/technet/security/advisory/973472.mspx	2018-10-12
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043	2018-10-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2004 Search vendor "Microsoft" for product "Isa Server" and version "2004"		sp3, enterprise		Affected
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2004 Search vendor "Microsoft" for product "Isa Server" and version "2004"		sp3, standard		Affected
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2006 Search vendor "Microsoft" for product "Isa Server" and version "2006"		-		Affected
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2006 Search vendor "Microsoft" for product "Isa Server" and version "2006"		sp1		Affected
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2006 Search vendor "Microsoft" for product "Isa Server" and version "2006"		supportability		Affected
Microsoft Search vendor "Microsoft"		Office Search vendor "Microsoft" for product "Office"				2003 Search vendor "Microsoft" for product "Office" and version "2003"		small_business_accounting_2006		Affected
Microsoft Search vendor "Microsoft"		Office Search vendor "Microsoft" for product "Office"				2003 Search vendor "Microsoft" for product "Office" and version "2003"		sp3		Affected
Microsoft Search vendor "Microsoft"		Office Web Components Search vendor "Microsoft" for product "Office Web Components"				2003 Search vendor "Microsoft" for product "Office Web Components" and version "2003"		sp1, 2007_microsoft_office		Affected
Microsoft Search vendor "Microsoft"		Office Web Components Search vendor "Microsoft" for product "Office Web Components"				2003 Search vendor "Microsoft" for product "Office Web Components" and version "2003"		sp3		Affected
Microsoft Search vendor "Microsoft"		Office Web Components Search vendor "Microsoft" for product "Office Web Components"				xp Search vendor "Microsoft" for product "Office Web Components" and version "xp"		sp3		Affected
Microsoft Search vendor "Microsoft"		Office Xp Search vendor "Microsoft" for product "Office Xp"				sp3 Search vendor "Microsoft" for product "Office Xp" and version "sp3"		-		Affected